The payment card industry data security standard (PCI DSS) update has just been released – if you’re a business that processes card data this will probably be a pretty familiar term to you. Our resident security analyst Steve explains what you need to know in light of the update and how it can make your life a whole lot easier if you get prepared now.
A bit of background…
The standard is made up of 12 different requirement groups, which further break down into over 200 individual controls. Each of these controls is geared towards improving the security of your payment processing platform, from firewall implementation and maintenance to ensuring there are substantial physical controls and CCTV on your premises.
What’s the deal with the new release?
The most recent release adds even further to the confusion by changing its format and update cycle, so it’s not surprising that more and more businesses are outsourcing PCI DSS management to service providers.
Hopefully the following will help simplify the headache that is PCI compliance and provide an insight into what’s changed and how it affects your compliance.
PCI DSS has moved towards a yearly update to its standard, ditching its three-year cycle. This is a big change for the standard and a step in the right direction. The threat landscape is evolving faster and faster, with vulnerabilities being exposed in current technologies on a regular basis (multiple OpenSSL weaknesses, DROWN and the Badlock bug, to name a few).
Moving forward, smaller and more frequent changes will be required, and organisations that can strategically adapt to and implement these changes will ensure their Card Data Environment (CDE) remains compliant with a heightened level of security.
What’s new within the standard’s controls?
With this release there has been a move towards putting more responsibility on the service provider. This is a refreshing move, as more and more businesses that fall under the PCI standard are using service providers to de-scope their businesses and remove the stress of dealing with the 220 requirements PCI mandates.
Managing these in-house would require a full-time employee. Outsourcing to a service provider reduces the overheads to a fraction of the cost of PCI DSS compliance, so it makes sense to create more liability around the providers.
Other changes that have the most significance for merchants are:
A large number of these controls are documented as being “best practice” for the next two years rather than a requirement, but any serious service provider will be implementing them as soon as possible, or will already have them in place as part of their security management system.
(If a provider is delivering services to you, surely you would want a level of assurance that they are doing as much as possible to keep you protected, and not just doing it to comply with an industry standard anyway!)
UKFast will be moving towards PCI DSS 3.2 within the next few months and fulfilling every control that is applicable to us as a service provider, whether best practice or a requirement.
Give us a call on 0208 045 4945 to find out more about ensuring you’re sorted well in advance!